No more Email Log In?

Amtrak Unlimited Discussion Forum

He was logged out, I just had to log him back in - using his AGR number that is in my computer's memory. BTW, I can do the exact same thing for his Delta Airlines SkyMiles account - just by entering his e-mail address and password (the same thing AGR asks for).
 
Likewise with AGR, if you are logged off and even if you know the e-mail, you still must know the password. So what is the difference if you use an e-mail address or an account number? :huh: I don't see how one is more secure - you need to know the password with both! :wacko:
 
Likewise with AGR, if you are logged off and even if you know the e-mail, you still must know the password. So what is the difference if you use an e-mail address or an account number? :huh: I don't see how one is more secure - you need to know the password with both! :wacko:
I haven't gone into my account in so long (Points always show on the cover screen) I forgot about having to enter a password as well. I guess I need to track that down.....
 
This is super irritating. I can barely read the tiny numbers on my card. I actually have a card; I don't think they even issue them anymore. And who remembers their AGR number? I have to sign in to Amtrak, go to my profile, find my number, copy and paste it into the AGR login screen and hope by then I can still remember my password.

Has no one talked to AGR Insider about this?
 
/me raises his hand

Like many other things, it's burned into my brain. The repeating pattern in it probably helps.

Also, if you use something like LastPass, you don't have to remember anything, facilitating the use of different, secure passwords at every site you visit, which should be SOP for anyone on the internet these days.
 
I also remember my number. But also, if you're on your own computer (not a public one like at a library), you can have it "remember" your number. It's always pre-entered on my iPad when I go to my bookmarks. And if you enter the Points for Shopping portal via the link on your AGR account, it is automatically entered. :)
 
AGR is probably doing this only to step up security - all someone needed to get into your account was an e-mail which is readily available. While they may not steal Points, they can sniff around your Profile information.
What are you talking about? Unless you can give us a step-by-step example for how someone could access a foreign profile with nothing but an email address I'm calling foul on this nonsensical claim.

It's not "nothing but the email address" but what's becoming increasingly common is hackers will get a list of emails and passwords from a hack like the Target or recent Home Depot one and then run a script to try to log into as many sites as they can.

Once a hacker gets a list of emails and passwords from a compromised site, it's really just a matter of minutes before they either use the information, or sell it to the highest bidder(s).

If they (or others) use it, it's really a race at that point to see who can steal what accounts at that point.

As such, I HIGHLY recommend you don't use the same password on any multiple sites (or at least any sites you care about, like ones involving money).

Definitely do NOT use the same password to access your email (such as gmail, etc) as any other site since if I know your email address and email password, it's done. I can pretty much own any account of yours online in a matter of minutes.

That said, in this specific case I wonder if it's something else. From talking to an Amtrak rep awhile back, I learned that the AGR site was originally 3rd party and when it was brought entirely in-house is apparently when they added the account number OR email option. Wonder if something there has changed.
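
An added example, not part of the original thread: one way a site operator can spot the password-reuse login attempts described in the post above, by flagging a source that tries many distinct accounts and mostly fails. The log format, the thresholds and the function names are assumptions made for this sketch, and the log lines are constructed.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(OK|FAIL)$")

def build_sample_log():
    """Constructed log lines (documentation IP ranges, example.com users)."""
    rows = []
    # One source walking a leaked list: 8 accounts, 1 reused password hits.
    rows += [("203.0.113.7", f"user{i}@example.com", "OK" if i == 5 else "FAIL")
             for i in range(8)]
    # One person mistyping their own password, then getting it right.
    rows += [("198.51.100.20", "alice@example.com", r)
             for r in ("FAIL", "FAIL", "FAIL", "OK")]
    # Shared office address: many accounts, almost all succeed.
    rows += [("198.51.100.99", f"staff{i}@example.com", "FAIL" if i == 0 else "OK")
             for i in range(6)]
    return [f"2015-01-20T10:00:{n:02d}Z {ip} login user={u} result={r}"
            for n, (ip, u, r) in enumerate(rows)]

def find_stuffing_sources(lines, min_accounts=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions, not tuned values.
    """
    stats = defaultdict(lambda: {"tried": set(), "hit": set(), "attempts": 0, "ok": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not login events
        _, ip, user, result = m.groups()
        s = stats[ip]
        user = user.lower()
        s["tried"].add(user)
        s["attempts"] += 1
        if result == "OK":
            s["ok"] += 1
            s["hit"].add(user)
    flagged = {}
    for ip, s in stats.items():
        ratio = s["ok"] / s["attempts"]
        if len(s["tried"]) >= min_accounts and ratio <= max_success_ratio:
            # Accounts that logged in from a flagged source need a forced reset.
            flagged[ip] = {"accounts_tried": len(s["tried"]),
                           "success_ratio": ratio,
                           "reset": sorted(s["hit"])}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(build_sample_log()).items():
        print(ip, info)
```

The person retyping one password and the shared office address are not flagged, because the check keys on the count of distinct accounts together with the success ratio rather than on failures alone.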
 
AGR is probably doing this only to step up security - all someone needed to get into your account was an e-mail which is readily available. While they may not steal Points, they can sniff around your Profile information.
What are you talking about? Unless you can give us a step-by-step example for how someone could access a foreign profile with nothing but an email address I'm calling foul on this nonsensical claim.
It's not "nothing but the email address" but what's becoming increasingly common is hackers will get a list of emails and passwords from a hack like the Target or recent Home Depot one and then run a script to try to log into as many sites as they can.
The primary problem with Target and Home Depot is our continuing lack of effective two factor authentication for credit and debit transactions. A rather obvious issue that Europe resolved by law two decades ago while we chose to allow the financial markets to self-regulate instead. As a result of this decision recouping losses from fraud in the form of inflated processing fees became yet another profit center and gave the banks a financial interest in leaving the door open. The idea that preventing the use of an email address during login would make your Target, Home Depot, or AGR account information safer is illogical. AGR account numbers are still being sent, displayed, and saved in clear text as part of AGR's website functionality and routine communications. Their forced use during login provides no additional safety whatsoever.

Also, if you use something like LastPass, you don't have to remember anything, facilitating the use of different, secure passwords at every site you visit, which should be SOP for anyone on the internet these days.
LastPass is a great idea but the more popular it becomes the closer it gets to becoming the ultimate digital treasure chest. LastPass uses conventional security protocols in order to work smoothly with the widest number of gadgets and devices. Unfortunately we currently live with a growing imbalance in security effectiveness that favors the success of nimble offensive attacks over relatively stagnant defensive prevention schemes, both in the technical sense and the social engineering angle. In addition legal penalties for breached data remain relatively weak and the recovery options for affected customers are limited. As a result we may be regressing back to the point where passwords written on paper and stored in a physical safe could become more effective than the very best cloud based solutions. Over time this trend may reverse and future security implementations may eventually overcome the gains made in digital fraud, but there's no telling how long that could take. LastPass as a cloud service is a great idea that appears to either be ahead of its time or behind the curve.
 
This is super irritating. I can barely read the tiny numbers on my card. I actually have a card; I don't think they even issue them anymore. And who remembers their AGR number? I have to sign in to Amtrak, go to my profile, find my number, copy and paste it into the AGR login screen and hope by then I can still remember my password.

Has no one talked to AGR Insider about this?
Do you have AGR linked to your Amtrak account? If so, just click the AGR link at the top right of the screen.


If you don't have it linked, I think you get something like 500 points for doing so.

I agree that it's still a pain to do it this way, but it saves a few steps (and you get points!)

I have to go through the Amtrak site at work since it's a shared computer and I don't store anything on it. My number is saved on my home computer, laptop, and phone. Chrome and Safari use the auto-fill feature and Keychain, respectively.
 
Home now. Resized the picture so it wasn't HUGE.
 
AGR is probably doing this only to step up security - all someone needed to get into your account was an e-mail which is readily available. While they may not steal Points, they can sniff around your Profile information.
What are you talking about? Unless you can give us a step-by-step example for how someone could access a foreign profile with nothing but an email address I'm calling foul on this nonsensical claim.
It's not "nothing but the email address" but what's becoming increasingly common is hackers will get a list of emails and passwords from a hack like the Target or recent Home Depot one and then run a script to try to log into as many sites as they can.
The primary problem with Target and Home Depot is our continuing lack of effective two factor authentication for credit and debit transactions. A rather obvious issue that Europe resolved by law two decades ago while we chose to allow the financial markets to self-regulate instead. As a result of this decision recouping losses from fraud in the form of inflated processing fees became yet another profit center and gave the banks a financial interest in leaving the door open. The idea that preventing the use of an email address during login would make your Target, Home Depot, or AGR account information safer is illogical. AGR account numbers are still being sent, displayed, and saved in clear text as part of AGR's website functionality and routine communications. Their forced use during login provides no additional safety whatsoever.
The lack of two-factor security is definitely an issue, but tangential to the user case I mentioned.

But my point stands. If a hacker has your email and password from one site, they will try it on 100s of others. That's standard procedure. If I hack your Target account, I might get your email and password, but I certainly wouldn't get your AGR account number. As such, I couldn't even TRY to log into your AGR account.

Also, as far as I can tell, the entire AGR site uses HTTPS, so nothing should be being sent in cleartext.

That all said, I do agree if they did this for security reasons, it's a pretty stupid reason.
 
/me raises his hand

Like many other things, it's burned into my brain. The repeating pattern in it probably helps.

Also, if you use something like LastPass, you don't have to remember anything, facilitating the use of different, secure passwords at every site you visit, which should be SOP for anyone on the internet these days.
Unless LastPass prompts you for the password, which you can't remember because your spouse set it up.....is that just me?! :p
 
I too have my AGR number memorized. Like Ryan's, it has a repeating pattern that makes it easier to remember. I also have the vast majority of my other passwords and user names memorized. Most of those are remembered by the particular site as no one but me uses my computer. And just in case I also keep track of them the old fashioned way, written down and kept in a safe place.
 
This is super irritating. I can barely read the tiny numbers on my card. I actually have a card; I don't think they even issue them anymore. And who remembers their AGR number? I have to sign in to Amtrak, go to my profile, find my number, copy and paste it into the AGR login screen and hope by then I can still remember my password.

Has no one talked to AGR Insider about this?
Do you have AGR linked to your Amtrak account? If so, just click the AGR link at the top right of the screen.

[image removed for clarity]

If you don't have it linked, I think you get something like 500 points for doing so.

I agree that it's still a pain to do it this way, but it saves a few steps (and you get points!)

I have to go through the Amtrak site at work since it's a shared computer and I don't store anything on it. My number is saved on my home computer, laptop, and phone. Chrome and Safari use the auto-fill feature and Keychain, respectively.
They are linked. That's how I get to it. I generally access Amtrak.com and my AGR account from work, and they are always clearing my cookies, so I have to log into Amtrak to get my account info that helps me log into AGR.

Ooooo - didn't know that it'll open AGR with me signed in. Cooler than remembering my ID to log into AGR straight.
 
Both Amtrak (29 Jan) and Starwood (23 Jan) have sent out e-mails in the last week. The short story is they are asking you to change your passwords. Starwood reports a small number of accounts are having unauthorized activity. AGR just says it's a good idea to change your password.

One thinks this is why AGR Insider was so busy.
 
Both Amtrak (29 Jan) and Starwood (23 Jan) have sent out e-mails in the last week. The short story is they are asking you to change your passwords. Starwood reports a small number of accounts are having unauthorized activity. AGR just says it's a good idea to change your password.

One thinks this is why AGR Insider was so busy.
I think AGR Insider was busy getting all those legal connections back into the system for people wanting to do AGR trips using the EB. ;)
 
Got the same email the other day, and my "something's off" antenna twitched a bit. Of course, good password security means if someone got it, they don't really have access to anything important.
 